pix 501 external ips to internal ips translation?

dresk2005
Level 1

I have 4 external IPs (let's call them A, B, C and D). I assigned IP address A as the external interface on the pix501. I would like to have the pix501 forward traffic from the external IPs B, C, D to internal server IPs. Is that possible and, if so, how?

Example:

traffic to external ip B <-> pix501 <-> internal server E

traffic to external ip C <-> pix501 <-> internal server F

traffic to external ip D <-> pix501 <-> internal server G

the pix501 is connected to a cable modem so the setup I'm trying to do is:

internet <-> cable modem <-> pix501 <-> internal servers

5 Replies

paddyxdoyle
Level 6

Hi,

You can do this using the static command (one per public/private pair):

static (inside,outside) <external_IP_B> <internal_IP_E> netmask 255.255.255.255

static (inside,outside) <external_IP_C> <internal_IP_F> netmask 255.255.255.255

static (inside,outside) <external_IP_D> <internal_IP_G> netmask 255.255.255.255

Then you need to create an access-list, for example to permit HTTP to these servers (the ACL matches on the translated, public address):

access-list outside_in permit tcp any host <external_IP_B> eq www

access-list outside_in permit tcp any host <external_IP_C> eq www

access-list outside_in permit tcp any host <external_IP_D> eq www

Then you need to apply the access-list inbound on the outside interface:

access-group outside_in in interface outside

HTH

PJD

I tried that and I still can't access the servers from the outside.

Here's a copy of my config if I'm missing something.

Thanks

------

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXX encrypted

passwd XXXXX encrypted

hostname XXXXX

domain-name XXXXX.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list outside_in permit tcp any host external_IP_B eq ssh

access-list outside_in permit tcp any host external_IP_C eq ssh

access-list outside_in permit tcp any host external_IP_D eq ssh

access-list outside_in permit tcp any host external_IP_B eq www

access-list outside_in permit tcp any host external_IP_C eq www

access-list outside_in permit tcp any host external_IP_D eq www

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside external_IP_A 255.255.255.248

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

static (inside,outside) external_IP_B 10.1.1.11 netmask 255.255.255.255 0 0

static (inside,outside) external_IP_C 10.1.1.12 netmask 255.255.255.255 0 0

static (inside,outside) external_IP_D 10.1.1.13 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 external_IP_of_gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

The config looks good; you are missing the NAT command, "nat (inside) 1 0 0", to go with your global command, but this should not affect the static entries. Could you post or describe the log entries when attempting access to the web servers from outside?

Hello,

Like they say, your config looks okay. There are two possibilities I can give you:

1) How about the servers on the inside? Do they have a default gateway pointing at the PIX?

2) When configuring the statics did you do a "clear xlate"?

Best Regards

Robert Maras
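The two troubleshooting replies above check the same few things by eye: that every static has an access-list entry permitting traffic to its public address, that the outside ACL is bound, that the global/nat pair is complete, and that the public addresses are ones the upstream router will actually hand to the PIX. The following is an added example, not code from this thread or from Cisco: a small Python lint that parses a PIX 6.x running config and reports those pairing problems. The sample config is constructed, with the thread's placeholder names replaced by RFC 5737 documentation addresses; it assumes A through D share one /29 as the posted 255.255.255.248 mask implies, and it deliberately contains one of each mismatch. Function names are mine.

```python
"""PIX 6.x static-NAT / access-list consistency lint (added example, not from the thread).

Reports the mismatches the replies check by hand:
  * a static whose mapped address no inbound ACE permits (translated, then denied)
  * an ACE on the outside ACL whose target has no static (no translation exists,
    so the packet is dropped before the ACE could ever permit it)
  * a global pool with no matching nat statement (outbound PAT never happens)
  * a static mapped address outside the outside interface's subnet: the upstream
    router will not ARP for an off-subnet address, it needs a route for it that
    points at the outside interface IP
"""
import ipaddress
import re

# Constructed sample config. Assumption: A..D live in one /29 (192.0.2.8/29), the
# outside interface is .9 and the cable modem gateway is .14.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_in permit tcp any host 192.0.2.10 eq ssh
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.11 eq www
access-list outside_in permit tcp any host 192.0.2.12 eq www
access-list outside_in permit tcp any host 198.51.100.5 eq smtp
ip address outside 192.0.2.9 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
static (inside,outside) 192.0.2.10 10.1.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 10.1.1.12 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.13 10.1.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.5 10.1.1.14 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.14 1
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
# Only the 'permit <proto> any host X [eq port]' ACE shape used in the thread is parsed.
ACE_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
IP_ADDRESS_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")


def parse_pix_config(text):
    """Pull the NAT- and ACL-related lines out of a PIX 6.x running config."""
    cfg = {"statics": [], "acls": {}, "bound": {}, "ifaddr": {}, "globals": [], "nat_ids": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real = m.groups()
            cfg["statics"].append((real_if, mapped_if, mapped, real))
        elif m := ACE_RE.match(line):
            name, proto, dst, port = m.groups()
            cfg["acls"].setdefault(name, []).append((proto, dst, port))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["bound"][m.group(2)] = m.group(1)  # interface -> ACL bound inbound on it
        elif m := IP_ADDRESS_RE.match(line):
            # ipaddress accepts a dotted netmask after the slash for IPv4
            cfg["ifaddr"][m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].append((m.group(1), m.group(2)))
        elif m := NAT_RE.match(line):
            cfg["nat_ids"].add(m.group(2))
    return cfg


def lint_pix_config(text):
    """Return a list of human-readable findings; an empty list means the pairing is consistent."""
    cfg = parse_pix_config(text)
    findings = []
    outside = cfg["ifaddr"].get("outside")
    acl_name = cfg["bound"].get("outside")
    if acl_name is None:
        findings.append("no access-group bound inbound on outside: inbound traffic to statics is denied")
    aces = cfg["acls"].get(acl_name, [])
    ace_targets = {dst for _, dst, _ in aces}
    mapped_addrs = {s[2] for s in cfg["statics"] if s[1] == "outside"}

    for _, mapped_if, mapped, real in cfg["statics"]:
        if mapped_if != "outside":
            continue
        if mapped not in ace_targets:
            findings.append(f"static {mapped}->{real}: no ACE permits traffic to {mapped}")
        if outside is not None and ipaddress.ip_address(mapped) not in outside.network:
            findings.append(f"static {mapped}: not in outside subnet {outside.network}; "
                            f"upstream must route it to {outside.ip}")
    for proto, dst, port in aces:
        if dst not in mapped_addrs:
            findings.append(f"ACE to {dst} ({proto}/{port}): no static translates this address, "
                            f"packets to it are dropped")
    for ifc, nat_id in cfg["globals"]:
        if nat_id not in cfg["nat_ids"]:
            findings.append(f"global ({ifc}) {nat_id} has no matching 'nat (inside) {nat_id} ...': "
                            f"outbound PAT will not work")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports four findings: a static with no ACE (192.0.2.13), an ACE with no static (192.0.2.12), a static whose public address is outside the /29 (198.51.100.5) and the missing nat statement. The lint only reads the config; it cannot tell whether the inside servers' default gateway points at the PIX, which is the other check above, nor whether an xlate entry is stale. On the box itself, confirm with "show xlate" (the statics should be listed) and "show conn" during a test connection from outside, and run "clear xlate" after changing statics.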

carl.fuller
Level 1

I've read that you can't do it on the 501. I've never tried it. Try the following:

static (highersecurityinterface,lowersecurityinterface) externalip internalip

Ex.

High Sec Interface: inside security100

Low Sec Interface: outside security0

Web Server Internal IP: 10.1.1.10

Web Server External IP: 108.218.176.150

actual command:

static (inside,outside) 108.218.176.150 10.1.1.10 0 0
